Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

MALware or worse?


  • This topic is locked This topic is locked

#1
Texx01

Texx01

    Member

  • Member
  • PipPip
  • 28 posts
OK so really would like some help if I could please. Not sure what I have here but is persistent. Malwarebytes can find it but not remove it completely it just comes back. I ran the OTL and have it ready and waiting.

Edited by Texx01, 29 May 2011 - 03:11 PM.

  • 0

Advertisements


#2
patndoris

patndoris

    Trusted Helper

  • Malware Removal
  • 228 posts
Hello and :)

My name is patndoris. I will be glad to take a look at your log and help you with solving any malware problems. It will be very helpful if you follow these guidelines:
  • Malware logs are often lengthy and can take a lot of time to research and interpret. Please be patient while I review your logs.
  • Please note that there is no "Quick Fix" to modern malware infections and we may need to use several different approaches to get your system clean.
  • Please make sure to carefully read any instruction that I give you. If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!
  • Please follow my instructions carefully and in the order they are posted. You may also find it helpful to print out the instructions you receive.
  • Please do not run any scans or install/uninstall any applications or delete anything without being directed to do so.
  • Remember, absence of symptoms does not mean the infection is all gone. Please stick with me till you're given the "all clear".
  • Please do not use the Attachment feature for any log file. Do a Copy/Paste of the entire contents of the log file and submit it inside your post.
  • Please reply within 3 days. If I do not hear back from you in that time frame, I will post a reminder for you. Topics with no reply in 4 days are closed!


Please post the OTL logs you have so they can be reviewed and we can take the appropriate next steps. Please be sure to include the OTL.txt as well as the extras.txt information.
  • 0

#3
Texx01

Texx01

    Member

  • Topic Starter
  • Member
  • PipPip
  • 28 posts
Thanks for seeing my post and thanks for the help.

I ran this after a weekly quick scan of Malwarebites picked up a Trojan.exe I have that log if needed. It was listed as:
Files Infected:
c:\WINDOWS\Temp\explorer.exe (Trojan.Agent)


OTL logfile created on: 5/28/2011 11:05:48 PM - Run 1
OTL by OldTimer - Version 3.2.23.0 Folder = C:\Documents and Settings\User\Desktop\Tools
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

494.73 Mb Total Physical Memory | 50.48 Mb Available Physical Memory | 10.20% Memory free
2.40 Gb Paging File | 1.31 Gb Available in Paging File | 54.75% Paging File free
Paging file location(s): C:\pagefile.sys 2048 2048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 149.00 Gb Total Space | 96.14 Gb Free Space | 64.52% Space Free | Partition Type: NTFS

Computer Name: HOME2 | User Name: User | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/05/28 23:02:28 | 000,580,096 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\User\desktop\Tools\OTL.exe
PRC - [2011/05/17 13:29:46 | 000,395,144 | ---- | M] (Ask) -- C:\Program Files\Ask.com\Updater\Updater.exe
PRC - [2011/05/09 21:59:55 | 000,924,632 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2011/01/21 21:06:18 | 000,349,616 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrobat.exe
PRC - [2010/11/30 13:20:36 | 000,997,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Security Client\msseces.exe
PRC - [2010/11/19 13:29:00 | 004,916,568 | ---- | M] (LeapFrog Enterprises, Inc.) -- C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
PRC - [2010/11/11 12:26:40 | 000,011,736 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
PRC - [2009/04/08 05:38:14 | 000,092,008 | ---- | M] (TomTom) -- C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
PRC - [2008/07/27 19:02:17 | 000,654,848 | ---- | M] (Macrovision Europe Ltd.) -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
PRC - [2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2006/03/16 03:00:08 | 001,397,760 | ---- | M] (Nero AG) -- C:\Program Files\Ahead\InCD\InCD.exe
PRC - [2005/07/08 16:24:46 | 000,871,424 | ---- | M] (Nero AG) -- C:\Program Files\Ahead\InCD\InCDsrv.exe
PRC - [2002/09/20 14:50:10 | 000,045,056 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe


========== Modules (SafeList) ==========

MOD - [2011/05/28 23:02:28 | 000,580,096 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\User\desktop\Tools\OTL.exe
MOD - [2010/08/23 11:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (itlperf)
SRV - [2010/11/19 13:29:00 | 004,916,568 | ---- | M] (LeapFrog Enterprises, Inc.) [Auto | Running] -- C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe -- (LeapFrog Connect Device Service)
SRV - [2010/11/11 12:26:40 | 000,011,736 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe -- (MsMpSvc)
SRV - [2009/04/08 05:38:14 | 000,092,008 | ---- | M] (TomTom) [Auto | Running] -- C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe -- (TomTomHOMEService)
SRV - [2008/07/27 19:02:17 | 000,654,848 | ---- | M] (Macrovision Europe Ltd.) [On_Demand | Running] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2007/03/20 15:41:24 | 000,153,792 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe -- (Adobe Version Cue CS3)
SRV - [2005/07/08 16:24:46 | 000,871,424 | ---- | M] (Nero AG) [Auto | Running] -- C:\Program Files\Ahead\InCD\InCDsrv.exe -- (InCDsrv)
SRV - [2002/09/20 14:50:10 | 000,045,056 | ---- | M] (Analog Devices, Inc.) [Auto | Running] -- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe -- (SoundMAX Agent Service (default))


========== Driver Services (SafeList) ==========

DRV - [2011/05/28 18:53:15 | 000,028,752 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{1613B88A-A9AA-4A8D-B56D-DFF7F41BEDC4}\MpKsl43205821.sys -- (MpKsl43205821)
DRV - [2011/05/28 12:28:03 | 000,028,752 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{1613B88A-A9AA-4A8D-B56D-DFF7F41BEDC4}\MpKsl101a09cc.sys -- (MpKsl101a09cc)
DRV - [2008/04/13 13:45:29 | 000,010,624 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\gameenum.sys -- (gameenum)
DRV - [2006/09/24 08:28:46 | 000,005,248 | ---- | M] (Windows ® 2000 DDK provider) [Kernel | Boot | Running] -- C:\WINDOWS\system32\speedfan.sys -- (speedfan)
DRV - [2006/06/18 21:02:17 | 000,029,696 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Documents and Settings\User\Local Settings\Temp\krdpdre.sys -- (krdpdre)
DRV - [2006/03/16 03:00:08 | 000,028,672 | ---- | M] (Nero AG) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\InCDrm.sys -- (incdrm)
DRV - [2005/07/08 16:17:54 | 000,099,584 | ---- | M] (Nero AG) [File_System | Disabled | Running] -- C:\WINDOWS\System32\drivers\InCDfs.sys -- (InCDfs)
DRV - [2005/07/08 16:17:36 | 000,029,696 | ---- | M] (Nero AG) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\InCDpass.sys -- (InCDPass)
DRV - [2004/08/28 12:54:38 | 000,033,995 | ---- | M] (Sonic Focus, Inc) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\sf.sys -- (sf)
DRV - [2004/04/26 09:49:56 | 000,381,056 | ---- | M] (Sensaura) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\senfilt.sys -- (senfilt)
DRV - [2003/10/21 01:07:30 | 000,174,530 | R--- | M] (OmniVision Technologies, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ov519vid.sys -- (ovt519)
DRV - [2002/09/20 10:53:34 | 000,235,100 | ---- | M] (Analog Devices Inc) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\MidiSyn.sys -- (MidiSyn)
DRV - [2001/08/17 12:12:32 | 000,016,074 | ---- | M] (NETGEAR Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\FA312nd5.sys -- (FA312)
DRV - [2001/08/17 11:19:34 | 000,040,704 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\es1371mp.sys -- (es1371) Creative AudioPCI (ES1371,ES1373) (WDM)
DRV - [1996/04/03 14:33:26 | 000,005,248 | ---- | M] () [Kernel | Boot | Running] -- C:\WINDOWS\system32\giveio.sys -- (giveio)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.yahoo.com/"
FF - prefs.js..extensions.enabledItems: [email protected]:3.11.3.15590
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
FF - prefs.js..extensions.enabledItems: [email protected]:1.0
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}:6.0.23
FF - prefs.js..extensions.enabledItems: [email protected]:1.0
FF - prefs.js..keyword.URL: "http://us.yhs.search...2-tb-web_us&p="
FF - prefs.js..network.proxy.no_proxies_on: "*.local"

FF - HKLM\software\mozilla\Mozilla Firefox 4.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/05/09 22:00:05 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 4.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/05/09 22:00:05 | 000,000,000 | ---D | M]

[2009/03/24 01:03:12 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\User\Application Data\Mozilla\Extensions
[2008/12/23 22:14:00 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\User\Application Data\Mozilla\Extensions\[email protected]
[2011/05/09 19:14:00 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\la83ce80.default\extensions
[2010/04/28 08:09:18 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\la83ce80.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2011/03/03 22:18:25 | 000,000,000 | ---D | M] (New Tabs at the End) -- C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\la83ce80.default\extensions\[email protected]
[2011/05/28 14:02:24 | 000,000,000 | ---D | M] (Ask Toolbar) -- C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\la83ce80.default\extensions\[email protected]
[2011/05/09 19:14:00 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2010/05/15 08:36:36 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
[2010/10/15 21:39:22 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
[2010/12/17 01:23:26 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
File not found (No name found) --
[2010/05/15 08:36:20 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF
[2011/05/09 21:59:54 | 000,142,296 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\browsercomps.dll
[2011/04/30 19:57:14 | 000,466,944 | ---- | M] (Catalina Marketing Corporation) -- C:\Program Files\Mozilla Firefox\plugins\NPcol400.dll
[2011/04/30 19:57:14 | 000,466,944 | ---- | M] (Catalina Marketing Corporation) -- C:\Program Files\Mozilla Firefox\plugins\NPcol500.dll
[2009/11/19 17:16:28 | 000,091,552 | ---- | M] (Coupons, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npCouponPrinter.dll
[2010/11/12 18:53:06 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll
[2009/11/19 17:16:29 | 000,091,552 | ---- | M] (Coupons, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npMozCouponPrinter.dll
[2011/05/09 21:59:58 | 000,002,252 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\bing.xml

Hosts file not found
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (ContributeBHO Class) - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll ()
O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O2 - BHO: (Skype add-on for Internet Explorer) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5805.1910\swg.dll (Google Inc.)
O2 - BHO: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (Contribute Toolbar) - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll ()
O3 - HKLM\..\Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
O3 - HKLM\..\Toolbar: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask)
O3 - HKCU\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKCU\..\Toolbar\WebBrowser: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask)
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [ApnUpdater] C:\Program Files\Ask.com\Updater\Updater.exe (Ask)
O4 - HKLM..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe (Nero AG)
O4 - HKCU..\Run: [PowerBar] C:\Program Files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe (Cyberlink, Corp.)
O4 - Startup: C:\Documents and Settings\User\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: Append to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll (Google Inc.)
O9 - Extra Button: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Computer, Inc.)
O12 - Plugin for: .spop - C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll (Intertrust Technologies, Inc.)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://appldnld.appl...ex/qtplugin.cab (QuickTime Plugin Control)
O16 - DPF: {32505657-9980-0010-8000-00AA00389B71} http://download.micr...01F/wmvadvd.cab (Reg Error: Key error.)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.mi...b?1279164465406 (MUWebControl Class)
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} https://h20436.www2....re/HPDEXAXO.cab (HP Download Manager)
O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} http://h20270.www2.h...ctDetection.cab (GMNRev Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_23)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.ma...t/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} http://offers.e-cent...bin/actxcab.cab (CBSTIEPrint Class)
O16 - DPF: {CAFEEFAC-0015-0000-0012-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_23)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_23)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.m...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: Web-Based Email Tools http://email.secures...et/Download.CAB (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O18 - Protocol\Handler\cetihpz {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll (Hewlett-Packard Company)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\itlntfy: DllName - itlnfw32.dll - File not found
O24 - Desktop WallPaper: C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/07/27 16:48:04 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2010/11/08 08:57:20 | 000,000,000 | ---D | M] - C:\autorun.inf -- [ NTFS ]
O33 - MountPoints2\{b8f4da71-6ac9-11de-b0f6-0011112d1dbc}\Shell\AutoRun\command - "" = D:\InstallTomTomHOME.exe
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/05/28 19:18:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Adobe
[2011/05/28 13:49:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[2011/05/28 13:49:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2011/05/27 22:23:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Sun
[2011/05/27 00:10:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2011/05/27 00:10:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2011/05/12 00:27:49 | 000,000,000 | -HSD | C] -- C:\WINDOWS\ftpcache
[2011/05/07 17:54:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Desktop\New Folder
[2011/04/30 19:57:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Application Data\Catalina Marketing Corp
[2011/04/30 19:56:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Start Menu\Programs\Catalina Marketing Corp
[6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/05/28 23:01:52 | 000,000,232 | ---- | M] () -- C:\WINDOWS\tasks\Scheduled Update for Ask Toolbar.job
[2011/05/28 22:21:54 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2011/05/28 20:55:48 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/05/28 18:58:16 | 000,000,424 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2011/05/28 18:53:38 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/05/28 18:53:13 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2011/05/28 18:53:00 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/05/28 11:45:43 | 001,553,968 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2011/05/24 07:01:31 | 000,870,128 | ---- | M] () -- C:\Documents and Settings\User\Application Data\mcs.rma
[2011/05/24 07:01:31 | 000,000,004 | ---- | M] () -- C:\Documents and Settings\User\Application Data\51AE63
[2011/05/20 06:46:51 | 000,008,451 | ---- | M] () -- C:\WINDOWS\cdplayer.ini
[2011/05/07 19:24:36 | 000,000,022 | ---- | M] () -- C:\WINDOWS\kodakpcd.User.ini
[2011/05/07 18:26:41 | 000,049,664 | ---- | M] () -- C:\Documents and Settings\User\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/05/27 00:10:59 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/05/09 22:00:08 | 000,000,730 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Mozilla Firefox.lnk
[2011/05/07 19:24:36 | 000,000,022 | ---- | C] () -- C:\WINDOWS\kodakpcd.User.ini
[2010/04/30 23:28:59 | 000,008,451 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2010/04/23 00:35:35 | 000,000,004 | ---- | C] () -- C:\Documents and Settings\User\Application Data\51AE63
[2010/04/23 00:35:34 | 000,870,128 | ---- | C] () -- C:\Documents and Settings\User\Application Data\mcs.rma
[2010/03/01 21:23:15 | 000,000,056 | -H-- | C] () -- C:\WINDOWS\System32\ezsidmv.dat
[2010/01/06 00:13:34 | 000,200,704 | R--- | C] () -- C:\WINDOWS\sel3110.exe
[2010/01/06 00:13:34 | 000,040,960 | R--- | C] () -- C:\WINDOWS\CleanDev.exe
[2010/01/06 00:13:33 | 000,032,528 | R--- | C] () -- C:\WINDOWS\amcap.exe
[2009/08/03 15:07:42 | 000,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll
[2009/08/03 15:07:42 | 000,230,768 | ---- | C] () -- C:\WINDOWS\System32\OGAEXEC.exe
[2009/03/24 01:03:12 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2009/02/10 12:12:31 | 000,073,220 | ---- | C] () -- C:\WINDOWS\System32\EPPICPrinterDB.dat
[2009/02/10 12:12:31 | 000,031,053 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern131.dat
[2009/02/10 12:12:31 | 000,029,114 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern1.dat
[2009/02/10 12:12:31 | 000,027,417 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern121.dat
[2009/02/10 12:12:31 | 000,021,021 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern3.dat
[2009/02/10 12:12:31 | 000,015,670 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern5.dat
[2009/02/10 12:12:31 | 000,013,280 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern2.dat
[2009/02/10 12:12:31 | 000,010,673 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern4.dat
[2009/02/10 12:12:31 | 000,004,943 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern6.dat
[2009/02/10 12:12:31 | 000,001,140 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_PT.dat
[2009/02/10 12:12:31 | 000,001,140 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_BP.dat
[2009/02/10 12:12:31 | 000,001,137 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_ES.dat
[2009/02/10 12:12:31 | 000,001,130 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_FR.dat
[2009/02/10 12:12:31 | 000,001,130 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_CF.dat
[2009/02/10 12:12:31 | 000,001,104 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_EN.dat
[2009/02/10 12:12:31 | 000,000,097 | ---- | C] () -- C:\WINDOWS\System32\PICSDK.ini
[2009/02/10 12:11:16 | 000,000,044 | ---- | C] () -- C:\WINDOWS\EPWF500.ini
[2008/12/16 00:07:38 | 000,000,116 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2008/09/17 21:40:19 | 000,049,664 | ---- | C] () -- C:\Documents and Settings\User\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/09/14 14:50:38 | 000,043,520 | ---- | C] () -- C:\WINDOWS\System32\CmdLineExt03.dll
[2008/09/11 22:27:18 | 000,012,415 | ---- | C] () -- C:\WINDOWS\hpdj5100.ini
[2008/09/11 21:52:18 | 000,269,056 | ---- | C] () -- C:\WINDOWS\Invasion3042 Uninstaller.exe
[2008/09/10 21:28:42 | 000,000,000 | ---- | C] () -- C:\WINDOWS\lgfwup.ini
[2008/09/10 21:21:40 | 000,040,960 | ---- | C] () -- C:\Program Files\Uninstall_CDS.exe
[2008/07/27 19:12:28 | 002,463,976 | ---- | C] () -- C:\WINDOWS\System32\NPSWF32.dll
[2008/07/27 16:50:26 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2008/07/27 16:45:27 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2008/07/27 13:38:32 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2008/07/27 13:37:31 | 001,553,968 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2006/02/28 07:00:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2006/02/28 07:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2006/02/28 07:00:00 | 000,435,260 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2006/02/28 07:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2006/02/28 07:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2006/02/28 07:00:00 | 000,068,156 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2006/02/28 07:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2006/02/28 07:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2006/02/28 07:00:00 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2006/02/28 07:00:00 | 000,004,461 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2006/02/28 07:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2006/02/28 07:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[1996/04/03 14:33:26 | 000,005,248 | ---- | C] () -- C:\WINDOWS\System32\giveio.sys

========== LOP Check ==========

[2009/09/16 08:36:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Electronic Arts
[2009/02/10 12:13:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\EPSON
[2010/12/26 12:52:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Leapfrog
[2008/12/23 22:14:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TomTom
[2010/11/13 20:06:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\usb-set
[2011/04/30 19:57:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\Catalina Marketing Corp
[2009/02/10 12:19:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\EPSON
[2010/08/05 23:54:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\GlarySoft
[2008/09/10 21:26:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\InterTrust
[2009/02/10 12:15:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\Leadertech
[2008/10/18 22:47:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\LucasArts
[2010/09/06 09:25:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\MSNInstaller
[2008/10/24 21:22:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\Petroglyph
[2010/06/07 09:56:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\SanDisk
[2008/09/10 20:19:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\SPORE
[2008/12/23 22:13:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\TomTom
[2011/05/28 18:58:16 | 000,000,424 | -H-- | M] () -- C:\WINDOWS\Tasks\MP Scheduled Scan.job
[2011/05/28 23:01:52 | 000,000,232 | ---- | M] () -- C:\WINDOWS\Tasks\Scheduled Update for Ask Toolbar.job

========== Purity Check ==========



< End of report >
  • 0

#4
patndoris

patndoris

    Trusted Helper

  • Malware Removal
  • 228 posts
Can you please also post the contents of the extras.txt log from when you ran OTL? There are a few things in there I'd like to see as well.



Scan With RootKitUnHooker

  • Please choose one link and download Rootkit Unhooker and save it to your desktop.

    Link 1
    Link 2
    Link 3
  • Now double-click on RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check (Tick) Drivers and Stealth
  • Uncheck the rest. then click OK
  • When prompted to Select Disks for Scan, make sure C:/ is checked and click OK
  • Wait till the scanner has finished and then click File > Save Report.
  • Save the report somewhere where you can find it. Click Close.
  • Copy the entire contents of the report and paste it in your next reply.

Note** you may get the following warning, just click OK and continue.

"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"

  • 0

#5
Texx01

Texx01

    Member

  • Topic Starter
  • Member
  • PipPip
  • 28 posts
RkU Version: 3.8.389.593, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 3)
Number of processors #2
==============================================
>Drivers
==============================================
0x804D7000 C:\WINDOWS\system32\ntoskrnl.exe 2265088 bytes (Microsoft Corporation, NT Kernel & System)
0x804D7000 PnpManager 2265088 bytes
0x804D7000 RAW 2265088 bytes
0x804D7000 WMIxWDM 2265088 bytes
0xBF800000 Win32k 1859584 bytes
0xBF800000 C:\WINDOWS\System32\win32k.sys 1859584 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0xF7015000 C:\WINDOWS\system32\DRIVERS\ialmnt5.sys 1302528 bytes (Intel Corporation, Intel Graphics Miniport Driver)
0xBF077000 C:\WINDOWS\System32\ialmdd5.DLL 925696 bytes (Intel Corporation, DirectDraw® Driver for Intel® Graphics Technology)
0xF7619000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)
0xAC2BE000 C:\WINDOWS\system32\DRIVERS\mrxsmb.sys 458752 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0xF6EC4000 C:\WINDOWS\system32\drivers\senfilt.sys 385024 bytes (Sensaura, Sensaura WDM 3D Audio Driver)
0xF6E0E000 C:\WINDOWS\system32\DRIVERS\update.sys 385024 bytes (Microsoft Corporation, Update Driver)
0xAC3C9000 C:\WINDOWS\system32\DRIVERS\tcpip.sys 364544 bytes (Microsoft Corporation, TCP/IP Protocol Driver)
0xAC0B8000 C:\WINDOWS\system32\DRIVERS\srv.sys 360448 bytes (Microsoft Corporation, Server driver)
0xBF159000 C:\WINDOWS\System32\ATMFD.DLL 290816 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver)
0xAA99E000 C:\WINDOWS\System32\Drivers\HTTP.sys 266240 bytes (Microsoft Corporation, HTTP Protocol Stack)
0xF6F42000 C:\WINDOWS\system32\drivers\smwdm.sys 262144 bytes (Analog Devices, Inc., SoundMAX Integrated Digital Audio )
0xBF042000 C:\WINDOWS\System32\ialmdev5.DLL 217088 bytes (Intel Corporation, Component GHAL Driver)
0xF6E6C000 C:\WINDOWS\system32\DRIVERS\rdpdr.sys 196608 bytes (Microsoft Corporation, Microsoft RDP Device redirector)
0xF7770000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)
0xAC188000 C:\WINDOWS\system32\DRIVERS\mrxdav.sys 184320 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)
0xF75EC000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)
0xAC32E000 C:\WINDOWS\system32\DRIVERS\rdbss.sys 176128 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0xAC295000 C:\WINDOWS\System32\Drivers\ov519vid.sys 167936 bytes (OmniVision Technologies, Inc., Dual Mode USB Camera 519 Stream Class Mini Driver)
0xAC37B000 C:\WINDOWS\system32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)
0xAC46E000 C:\WINDOWS\system32\DRIVERS\MpFilter.sys 159744 bytes (Microsoft Corporation, Microsoft antimalware file system filter driver)
0xF771A000 dmio.sys 155648 bytes (Microsoft Corp., Veritas Software, NT Disk Manager I/O Driver)
0xAC3A3000 C:\WINDOWS\system32\DRIVERS\ipnat.sys 155648 bytes (Microsoft Corporation, IP Network Address Translator)
0xABDC4000 C:\WINDOWS\System32\Drivers\Fastfat.SYS 147456 bytes (Microsoft Corporation, Fast FAT File System Driver)
0xF6FB9000 C:\WINDOWS\system32\drivers\portcls.sys 147456 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0xF6FDD000 C:\WINDOWS\system32\DRIVERS\USBPORT.SYS 147456 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0xF6F96000 C:\WINDOWS\system32\drivers\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)
0xAC359000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0xBF020000 C:\WINDOWS\System32\ialmdnt5.dll 139264 bytes (Intel Corporation, Controller Hub for Intel Graphics Driver)
0x80700000 ACPI_HAL 134400 bytes
0x80700000 C:\WINDOWS\system32\hal.dll 134400 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0xF6F22000 C:\WINDOWS\system32\drivers\aeaudio.sys 131072 bytes (Andrea Electronics Corporation, Andrea Audio Noise Cancellation Driver)
0xF76E2000 fltmgr.sys 131072 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0xF7740000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)
0xF75D2000 Mup.sys 106496 bytes (Microsoft Corporation, Multiple UNC Provider driver)
0xAC435000 C:\WINDOWS\System32\Drivers\InCDfs.SYS 102400 bytes (Nero AG, InCD File System Driver)
0xF7702000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)
0xAC27D000 C:\WINDOWS\System32\Drivers\dump_atapi.sys 98304 bytes
0xF76B9000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0xF6EAD000 C:\WINDOWS\system32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0xABD0F000 C:\WINDOWS\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)
0xF6F82000 C:\WINDOWS\system32\DRIVERS\parport.sys 81920 bytes (Microsoft Corporation, Parallel Port Driver)
0xF7001000 C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)
0xAC422000 C:\WINDOWS\system32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)
0xF76A6000 WudfPf.sys 77824 bytes (Microsoft Corporation, Windows Driver Foundation - User-mode Driver Framework Platform Driver)
0xBF000000 C:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)
0xF76D0000 sr.sys 73728 bytes (Microsoft Corporation, System Restore Filesystem Filter Driver)
0xF775F000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0xF6E9C000 C:\WINDOWS\system32\DRIVERS\psched.sys 69632 bytes (Microsoft Corporation, MS QoS Packet Scheduler)
0xAC91D000 C:\WINDOWS\System32\Drivers\Cdfs.SYS 65536 bytes (Microsoft Corporation, CD-ROM File System Driver)
0xF78EF000 C:\WINDOWS\system32\DRIVERS\cdrom.sys 65536 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0xF78CF000 C:\WINDOWS\system32\DRIVERS\serial.sys 65536 bytes (Microsoft Corporation, Serial Device Driver)
0xF78AF000 C:\WINDOWS\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
0xF78FF000 C:\WINDOWS\system32\DRIVERS\redbook.sys 61440 bytes (Microsoft Corporation, Redbook Audio Filter Driver)
0xF798F000 C:\WINDOWS\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter)
0xAC8ED000 C:\WINDOWS\system32\drivers\usbaudio.sys 61440 bytes (Microsoft Corporation, USB Audio Class Driver)
0xF2A80000 C:\WINDOWS\system32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)
0xBF012000 C:\WINDOWS\System32\ialmrnt5.dll 57344 bytes (Intel Corporation, Controller Hub for Intel Graphics Driver)
0xF77FF000 C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)
0xF78BF000 C:\WINDOWS\system32\DRIVERS\i8042prt.sys 53248 bytes (Microsoft Corporation, i8042 Port Driver)
0xF790F000 C:\WINDOWS\system32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0xAC8FD000 C:\WINDOWS\System32\Drivers\STREAM.SYS 53248 bytes (Microsoft Corporation, WDM CODEC Class Device Driver 2.0)
0xF77DF000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0xF792F000 C:\WINDOWS\system32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0xAC94D000 C:\WINDOWS\System32\Drivers\Fips.SYS 45056 bytes (Microsoft Corporation, FIPS Crypto Driver)
0xF78DF000 C:\WINDOWS\system32\DRIVERS\imapi.sys 45056 bytes (Microsoft Corporation, IMAPI Kernel Driver)
0xF77CF000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)
0xF791F000 C:\WINDOWS\system32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0xF789F000 C:\WINDOWS\system32\drivers\es1371mp.sys 40960 bytes (Creative Technology Ltd., ENSONIQ AudioPCI 97 WDM Audio Miniport)
0xF77BF000 isapnp.sys 40960 bytes (Microsoft Corporation, PNP ISA Bus Driver)
0xF2DC4000 C:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)
0xF7292000 C:\WINDOWS\system32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)
0xF19EE000 C:\WINDOWS\System32\Drivers\BlackBox.SYS 36864 bytes (RKU Driver)
0xF77EF000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)
0xAC90D000 C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS 36864 bytes (Microsoft Corporation, Hid Class Library)
0xF788F000 C:\WINDOWS\system32\DRIVERS\intelppm.sys 36864 bytes (Microsoft Corporation, Processor Device Driver)
0xF793F000 C:\WINDOWS\system32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)
0xAC95D000 C:\WINDOWS\system32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver)
0xAD41F000 C:\WINDOWS\system32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0xF7B9F000 C:\WINDOWS\System32\DRIVERS\InCDPass.sys 32768 bytes (Nero AG, Ahead RW Filter Driver)
0xF4505000 C:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)
0xF7BA7000 C:\WINDOWS\system32\drivers\sf.sys 32768 bytes (Sonic Focus, Inc, DSP service driver 08-28-2004 build for SF 1.X)
0xF2311000 C:\WINDOWS\system32\DRIVERS\usbccgp.sys 32768 bytes (Microsoft Corporation, USB Common Class Generic Parent Driver)
0xF7B7F000 C:\WINDOWS\system32\DRIVERS\usbehci.sys 32768 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
0xF7B8F000 C:\WINDOWS\system32\DRIVERS\fdc.sys 28672 bytes (Microsoft Corporation, Floppy Disk Controller Driver)
0xF451D000 C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS 28672 bytes (Microsoft Corporation, Hid Parsing Library)
0xF7B97000 C:\WINDOWS\System32\Drivers\incdrm.SYS 28672 bytes (Nero AG, Ahead MRW Filter Driver)
0xF7A3F000 C:\WINDOWS\System32\Drivers\PCIIDEX.SYS 28672 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
0xF2309000 C:\WINDOWS\system32\DRIVERS\usbprint.sys 28672 bytes (Microsoft Corporation, USB Printer driver)
0xF7B87000 C:\WINDOWS\system32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver)
0xF7BC7000 C:\WINDOWS\system32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver)
0xF2319000 c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{1613B88A-A9AA-4A8D-B56D-DFF7F41BEDC4}\MpKsl0035e527.sys 24576 bytes (Microsoft Corporation, KSLDriver)
0xF2329000 c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{1613B88A-A9AA-4A8D-B56D-DFF7F41BEDC4}\MpKsl0ec355b3.sys 24576 bytes (Microsoft Corporation, KSLDriver)
0xF2339000 c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{1613B88A-A9AA-4A8D-B56D-DFF7F41BEDC4}\MpKsl101a09cc.sys 24576 bytes (Microsoft Corporation, KSLDriver)
0xF2349000 c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{1613B88A-A9AA-4A8D-B56D-DFF7F41BEDC4}\MpKsl31cdade4.sys 24576 bytes (Microsoft Corporation, KSLDriver)
0xF44ED000 c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{1613B88A-A9AA-4A8D-B56D-DFF7F41BEDC4}\MpKsl43205821.sys 24576 bytes (Microsoft Corporation, KSLDriver)
0xF44F5000 c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{1613B88A-A9AA-4A8D-B56D-DFF7F41BEDC4}\MpKslb3d5d940.sys 24576 bytes (Microsoft Corporation, KSLDriver)
0xF44FD000 c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{1613B88A-A9AA-4A8D-B56D-DFF7F41BEDC4}\MpKslb4b644f4.sys 24576 bytes (Microsoft Corporation, KSLDriver)
0xF7B0F000 c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{1613B88A-A9AA-4A8D-B56D-DFF7F41BEDC4}\MpKslf29f34fe.sys 24576 bytes (Microsoft Corporation, KSLDriver)
0xF7B3F000 C:\WINDOWS\System32\Drivers\ov519cmd.sys 24576 bytes (OmniVision Technologies Inc., Dual Mode USB Camera 519 Universal Serial Bus Camera Driver)
0xF7B77000 C:\WINDOWS\system32\DRIVERS\usbuhci.sys 24576 bytes (Microsoft Corporation, UHCI USB Miniport Driver)
0xF4515000 C:\WINDOWS\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0xACE7D000 C:\WINDOWS\system32\DRIVERS\flpydisk.sys 20480 bytes (Microsoft Corporation, Floppy Driver)
0xF450D000 C:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)
0xF7A47000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)
0xF7BB7000 C:\WINDOWS\system32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)
0xF7BBF000 C:\WINDOWS\system32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel® mini-port/call-manager driver)
0xF7BAF000 C:\WINDOWS\system32\DRIVERS\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper)
0xB18B0000 C:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)
0xF7CB7000 C:\WINDOWS\system32\DRIVERS\FA312nd5.sys 16384 bytes (NETGEAR Corp., NETGEAR FA312 Fast Ethernet NDIS 5.0 Miniport Driver)
0xF7C5B000 C:\WINDOWS\system32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver)
0xB16E6000 C:\WINDOWS\system32\DRIVERS\ndisuio.sys 16384 bytes (Microsoft Corporation, NDIS User mode I/O Driver)
0xF7CBB000 C:\WINDOWS\system32\DRIVERS\serenum.sys 16384 bytes (Microsoft Corporation, Serial Port Enumerator)
0xF7BD3000 C:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)
0xF7C67000 C:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)
0xF32B5000 C:\WINDOWS\system32\DRIVERS\gameenum.sys 12288 bytes (Microsoft Corporation, Game Port Enumerator)
0xB1666000 C:\WINDOWS\system32\DRIVERS\hidusb.sys 12288 bytes (Microsoft Corporation, USB Miniport Driver for Input Devices)
0xB169A000 C:\WINDOWS\System32\Drivers\InCDrec.SYS 12288 bytes (Nero AG, InCD File System Recognizer)
0x862FD000 C:\WINDOWS\system32\KDCOM.DLL 12288 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
0xB1662000 C:\WINDOWS\system32\DRIVERS\mouhid.sys 12288 bytes (Microsoft Corporation, HID Mouse Filter Driver)
0xF759A000 C:\WINDOWS\system32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0xB1696000 C:\WINDOWS\system32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
0xF7CE9000 C:\WINDOWS\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver)
0xF7CC3000 dmload.sys 8192 bytes (Microsoft Corp., Veritas Software., NT Disk Manager Startup Driver)
0xF7CF3000 C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS 8192 bytes
0xF7CE7000 C:\WINDOWS\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver)
0xF7CC1000 intelide.sys 8192 bytes (Microsoft Corporation, Intel PCI IDE Driver)
0xF7CEB000 C:\WINDOWS\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator)
0xF17A1000 C:\WINDOWS\System32\Drivers\ParVdm.SYS 8192 bytes (Microsoft Corporation, VDM Parallel Driver)
0xF7CED000 C:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)
0xF7CC5000 speedfan.sys 8192 bytes
0xF7CFF000 C:\WINDOWS\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0xF7D7D000 C:\WINDOWS\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
0xF7CBF000 C:\WINDOWS\system32\DRIVERS\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0xF7E11000 C:\WINDOWS\system32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)
0xAC717000 C:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)
0xF7D88000 giveio.sys 4096 bytes
0xF7F0B000 C:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)
0xF7D87000 PCIIde.sys 4096 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
!!!!!!!!!!!Hidden driver: 0x8636731B ?_empty_? 3301 bytes
==============================================
>Stealth
==============================================
0xF7702000 WARNING: suspicious driver modification [atapi.sys::0x8636731B]
  • 0

#6
Texx01

Texx01

    Member

  • Topic Starter
  • Member
  • PipPip
  • 28 posts
OTL Extras logfile created on: 10/16/2010 1:40:58 AM - Run 1
OTL by OldTimer - Version 3.2.15.2 Folder = C:\Documents and Settings\User\My Documents\Downloads
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

495.00 Mb Total Physical Memory | 73.00 Mb Available Physical Memory | 15.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 89.00% Paging File free
Paging file location(s): C:\pagefile.sys 2048 2048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 149.00 Gb Total Space | 101.62 Gb Free Space | 68.20% Space Free | Partition Type: NTFS

Computer Name: HOME2 | User Name: User | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"3703:TCP" = 3703:TCP:*:Enabled:Adobe Version Cue CS3 Server
"3704:TCP" = 3704:TCP:*:Enabled:Adobe Version Cue CS3 Server
"50900:TCP" = 50900:TCP:*:Enabled:Adobe Version Cue CS3 Server
"50901:TCP" = 50901:TCP:*:Enabled:Adobe Version Cue CS3 Server

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe" = C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe:*:Enabled:Adobe Version Cue CS3 Server -- (Adobe Systems Incorporated)
"C:\Program Files\Electronic Arts\EADM\Core.exe" = C:\Program Files\Electronic Arts\EADM\Core.exe:*:Enabled:EA Download Manager -- File not found
"C:\Program Files\LucasArts\Star Wars Empire at War\GameData\sweaw.exe" = C:\Program Files\LucasArts\Star Wars Empire at War\GameData\sweaw.exe:*:Enabled:Star Wars: Empire at War -- (Lucasfilm Entertainment Company, Ltd.)
"C:\Program Files\LucasArts\Star Wars Empire at War\GameData\fpupdate.exe" = C:\Program Files\LucasArts\Star Wars Empire at War\GameData\fpupdate.exe:*:Enabled:fpupdate -- ()
"C:\Program Files\LucasArts\Star Wars Empire at War Forces of Corruption\swfoc.exe" = C:\Program Files\LucasArts\Star Wars Empire at War Forces of Corruption\swfoc.exe:*:Enabled:Star Wars™: Empire at War™: Forces of Corruption™ -- (Lucasfilm Entertainment Company, Ltd.)
"C:\Program Files\Mozilla Firefox\firefox.exe" = C:\Program Files\Mozilla Firefox\firefox.exe:*:Enabled:Firefox -- (Mozilla Corporation)
"C:\Program Files\Rhapsody\rhapsody.exe" = C:\Program Files\Rhapsody\rhapsody.exe:*:Enabled:RealNetworks Rhapsody -- (Rhapsody International Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0046FA01-C5B9-4985-BACB-398DC480FC05}" = Adobe Photoshop CS3
"{0224CACC-994D-45F8-B973-D65056EA9C2F}" = Adobe XMP DVA Panels CS3
"{0327FA9D-975C-448C-A086-577D57BB25B8}" = Adobe Soundbooth CS3 Codecs
"{08B32819-6EEF-4057-AEDA-5AB681A36A23}" = Adobe Bridge Start Meeting
"{15C165F1-1DAE-4476-AFB6-8723729B41E7}" = hp deskjet 5100
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{184CE391-7E0E-4C63-9935-D7A10EDFD3C6}" = Adobe WinSoft Linguistics Plugin
"{193EAFD0-1BAF-4FB4-B18F-79D5D6A4B285}" = Adobe After Effects CS3 Presets
"{1D58229F-C505-45CA-8223-F35F3A34B963}" = Adobe Version Cue CS3 Server {ko_KR}
"{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}" = Multimedia Launcher
"{2222B364-0854-4265-B32E-A142DB9DC7BB}" = Intel® PRO Network Connections 11.2.0.69
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{24D7346D-D4B4-45E8-98EA-75EC14B42DD8}" = Adobe ExtendScript Toolkit 2
"{26A24AE4-039D-4CA4-87B4-2F83216020FF}" = Java™ 6 Update 22
"{29E5EA97-5F74-4A57-B8B2-D4F169117183}" = Adobe Stock Photos CS3
"{2EFFFC71-1E66-454E-A6E6-CEEC800B96D2}" = Adobe Flash Video Encoder
"{3248F0A8-6813-11D6-A77B-00B0D0150120}" = J2SE Runtime Environment 5.0 Update 12
"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java™ 6 Update 7
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{4458C442-7376-4CF9-AF58-E8CEA6722363}" = Adobe Setup
"{485ACF57-F364-440A-8496-E1E81C8FA1AA}" = Adobe Premiere Pro CS3 Third Party Content
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{50F102CA-4BE2-41A9-9810-5BB05EB91B9A}" = Adobe Premiere Pro CS3 Functional Content
"{51846830-E7B2-4218-8968-B77F0FF475B8}" = Adobe Color EU Extra Settings
"{54793AA1-5001-42F4-ABB6-C364617C6078}" = Adobe Linguistics CS3
"{54B2EAD9-A110-43F7-B010-2859A1BD2AFE}" = Adobe Encore CS3
"{58DCEEE5-532E-44F4-B1D7-A146EF9E9FDA}" = Adobe Premiere Pro CS3
"{6179550A-3E7C-499E-BCC9-9E8113E0A285}" = LG ODD Auto Firmware Update
"{64C1FA9A-FA94-4B6E-B3E4-8573738E4AD1}" = Adobe Setup
"{6592FDEC-2C1A-413A-9985-25FEC2F0848D}" = Star Wars Empire at War Forces of Corruption
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD
"{6ABE0BEE-D572-4FE8-B434-9E72A289431B}" = Adobe Fonts All
"{6B52140A-F189-4945-BFFC-DB3F00B8C589}" = Adobe Flash CS3
"{6B708481-748A-4EB4-97C1-CD386244FF77}" = Adobe MotionPicture Color Files
"{6BBAA81D-6A7E-43AD-8889-2F002DCAAFDD}" = AHV content for Acrobat and Flash
"{6D4AC5A4-4CF9-4F90-8111-B9B53CE257BF}" = Adobe Color Common Settings
"{6FF5DD7A-FE28-4439-B8CF-1E9AF4EA0A61}" = Adobe Asset Services CS3
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{7ACFB90E-8FD0-4397-AD3A-5195412623A3}" = Adobe Help Viewer CS3
"{7C10F5C7-F00F-4BD3-A110-C7D240D2DD25}" = Adobe Dreamweaver CS3
"{7DFC1012-D346-46CE-B03E-FF79125AE029}" = Adobe Fireworks CS3
"{845A8DB9-8802-4FD3-9FE3-938A6C46A2EC}" = Adobe Video Profiles
"{86D4B82A-ABED-442A-BE86-96357B70F4FE}" = Ask Toolbar
"{8718DC03-D066-4957-94E5-50C3C5042E8E}" = Adobe Creative Suite 3 Master Collection
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel® Extreme Graphics 2 Driver
"{8D2BA474-F406-4710-9AE4-D4F22D21F0DD}" = Adobe Device Central CS3
"{8E6808E2-613D-4FCD-81A2-6C8FA8E03312}" = Adobe Type Support
"{8F3C31C5-9C3A-4AA8-8EFA-71290A7AD533}" = TomTom HOME Visual Studio Merge Modules
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0015-0409-0000-0000000FF1CE}_ENTERPRISER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_ENTERPRISER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_ENTERPRISER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}_ENTERPRISER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_ENTERPRISER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_ENTERPRISER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_ENTERPRISER_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_ENTERPRISER_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_ENTERPRISER_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}_ENTERPRISER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_ENTERPRISER_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}_ENTERPRISER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2007
"{90120000-00BA-0409-0000-0000000FF1CE}_ENTERPRISER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0114-0409-0000-0000000FF1CE}" = Microsoft Office Groove Setup Metadata MUI (English) 2007
"{90120000-0114-0409-0000-0000000FF1CE}_ENTERPRISER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_ENTERPRISER_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}_ENTERPRISER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90176341-0A8B-4CCC-A78D-F862228A6B95}" = Adobe Anchor Service CS3
"{91120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007
"{91120000-0030-0000-0000-0000000FF1CE}_ENTERPRISER_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-0030-0000-0000-0000000FF1CE}_ENTERPRISER_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{95655ED4-7CA5-46DF-907F-7144877A32E5}" = Adobe Color NA Recommended Settings
"{981029E0-7FC9-4CF3-AB39-6F133621921A}" = Skype Toolbars
"{98786147-80E3-41A5-A80C-1F3C028558CF}" = Hearts of Iron 2
"{99AE7207-8612-4DBA-A8F8-BAE5C633390D}" = Star Wars Empire at War
"{9C9824D9-9000-4373-A6A5-D0E5D4831394}" = Adobe Bridge CS3
"{9DF0196F-B6B8-4C3A-8790-DE42AA530101}" = SPORE™
"{A2B242BD-FF8D-4840-9DAA-9170EABEC59C}" = Adobe CMaps
"{A2D81E70-2A98-4A08-A628-94388B063C5E}" = Adobe Color - Photoshop Specific
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A6B23EFA-6590-482C-A11F-5ACE1B91F5B9}" = Adobe Soundbooth CS3
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AC5B0C19-D851-42F4-BDA0-410ECF7F70A5}" = PDF Settings
"{AC76BA86-1033-0000-7760-000000000003}" = Adobe Acrobat 8 Professional
"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
"{B3BF6689-A81D-40D8-9A86-4AC4ACD9FC1C}" = Adobe Camera Raw 4.0
"{B3C02EC1-A7B0-4987-9A43-8789426AAA7D}" = Adobe Setup
"{B671CBFD-4109-4D35-9252-3062D3CCB7B2}" = Adobe SING CS3
"{B73CFB12-C814-4638-AFFD-7E3AAFAF0B4E}" = Adobe BridgeTalk Plugin CS3
"{B7A0CE06-068E-11D6-97FD-0050BACBF861}" = PowerProducer
"{B8B7A4D8-80E1-4DAE-BD33-7FD535BA3931}" = Adobe Encore CS3 Codecs
"{B97CF5C3-0487-11D8-A36E-0050BAE317E1}" = DVD Solution
"{B9B35331-B7E4-4E5C-BF4C-7BC87856124D}" = Adobe Default Language CS3
"{BE5F3842-8309-4754-92D5-83E02E6077A3}" = Adobe Extension Manager CS3
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C5BD220A-EFE8-48A5-B70E-9503D535FACE}" = Adobe WAS CS3
"{CAE7D1D9-3794-4169-B4DD-964ADBC534EE}" = HP Product Detection
"{CB3F8375-B600-4B9F-83C9-238ED1E583FD}" = Adobe InDesign CS3
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D0DFF92A-492E-4C40-B862-A74A173C25C5}" = Adobe Version Cue CS3 Client
"{D103C4BA-F905-437A-8049-DB24763BBE36}" = Skype™ 4.2
"{D2559B88-CC9D-4B48-81BB-F492BAA9C48C}" = Adobe PDF Library Files
"{D5A31AB1-345D-47C7-A87B-036A669F6DF1}" = Adobe XMP Panels CS3
"{D6D425D2-803F-40E8-9D65-3DC00D577C11}" = NavyFIELD NorthAmerica
"{D755C7A3-C03E-4460-8C00-AC6E55505FB5}" = LightScribe 1.4.74.1
"{DD7DB3C5-6FA3-4FA3-8A71-C2F2940EB029}" = Adobe Color JA Extra Settings
"{E0DD652C-F2FC-4FB8-90D7-CCC0D90F56D8}" = Windows Media Player 10 SDK
"{E69AE897-9E0B-485C-8552-7841F48D42D8}" = Adobe Update Manager CS3
"{EA7B3CC4-366D-4CF6-8350-FD7A7034116E}" = Adobe InDesign CS3 Icon Handler
"{EB0202F7-016A-410C-ADE4-40F848CCC661}" = Adobe After Effects CS3
"{F08E8D2E-F132-4742-9C87-D5FF223A016A}" = Adobe Illustrator CS3
"{F0A37341-D692-11D4-A984-009027EC0A9C}" = SoundMAX
"{FC9E08AA-CD59-4C59-BEF9-87E05B9E37D7}" = Adobe Contribute CS3
"7-Zip" = 7-Zip 4.65
"Adobe Acrobat 5.0" = Adobe Acrobat 5.0
"Adobe Acrobat 8 Professional_824" = Adobe Acrobat 8.2.4 - CPSID_83708
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player 11.5
"Adobe_3e054d2218e7aa282c2369d939e58ff" = Adobe ExtendScript Toolkit 2
"Adobe_4dcfd9b7e901b57f81f667144603236" = Add or Remove Adobe Creative Suite 3 Master Collection
"Adobe_6c8e2cb4fd241c55406016127a6ab2e" = Adobe Color Common Settings
"Coupon Printer for Windows4.0" = Coupon Printer for Windows
"Coupon Printer for Windows5.0.0.0" = Coupon Printer for Windows
"ENTERPRISER" = Microsoft Office Enterprise 2007
"EPSON Scanner" = EPSON Scan
"EPSON WorkForce 500 Series" = EPSON WorkForce 500 Series Printer Uninstall
"ERUNT_is1" = ERUNT 1.1j
"Free RAR Extract Frog 1.00" = Free RAR Extract Frog 1.00
"Homeworld2" = Homeworld2
"HW2 FX-MOD_is1" = FX MOD 1.71
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"InCD!UninstallKey" = InCD
"Invasion3042" = Invasion3042
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox (3.6.10)" = Mozilla Firefox (3.6.10)
"MSNINST" = MSN
"Nero - Burning Rom!UninstallKey" = Nero OEM
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"pepakura_viewer3en" = Pepakura Viewer 3
"Rhapsody" = Rhapsody
"TomTom HOME" = TomTom HOME 2.6.2.1586
"Ultimate Mahjongg 10" = Ultimate Mahjongg 10
"VGA USB Camera" = VGA USB Camera
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows XP Service Pack" = Windows XP Service Pack 3
"WMFDist11" = Windows Media Format 11 runtime
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"Xfire" = Xfire (remove only)

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 9/5/2010 10:46:59 AM | Computer Name = HOME2 | Source = Application Error | ID = 1000
Description = Faulting application avgnsx.exe, version 8.5.0.401, faulting module
avgxpl.dll, version 8.5.0.401, fault address 0x00021592.

Error - 9/6/2010 9:44:29 AM | Computer Name = HOME2 | Source = Application Error | ID = 1000
Description = Faulting application avgnsx.exe, version 8.5.0.401, faulting module
avgxpl.dll, version 8.5.0.401, fault address 0x00021592.

Error - 9/8/2010 12:30:51 AM | Computer Name = HOME2 | Source = Application Hang | ID = 1002
Description = Hanging application firefox.exe, version 1.9.2.3855, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 10/1/2010 1:31:25 AM | Computer Name = HOME2 | Source = Application Error | ID = 1000
Description = Faulting application navyfield.exe, version 0.0.0.0, faulting module
main.dll, version 0.0.0.0, fault address 0x001b39be.

Error - 10/1/2010 2:03:55 AM | Computer Name = HOME2 | Source = Application Error | ID = 1000
Description = Faulting application navyfield.exe, version 0.0.0.0, faulting module
main.dll, version 0.0.0.0, fault address 0x0021017c.

Error - 10/9/2010 2:19:54 AM | Computer Name = HOME2 | Source = Application Hang | ID = 1002
Description = Hanging application firefox.exe, version 1.9.2.3909, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 10/9/2010 2:19:57 AM | Computer Name = HOME2 | Source = Application Hang | ID = 1002
Description = Hanging application firefox.exe, version 1.9.2.3909, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 10/9/2010 2:19:58 AM | Computer Name = HOME2 | Source = Application Hang | ID = 1002
Description = Hanging application firefox.exe, version 1.9.2.3909, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 10/13/2010 12:16:51 AM | Computer Name = HOME2 | Source = Application Hang | ID = 1002
Description = Hanging application firefox.exe, version 1.9.2.3909, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 10/13/2010 12:16:52 AM | Computer Name = HOME2 | Source = Application Hang | ID = 1002
Description = Hanging application firefox.exe, version 1.9.2.3909, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

[ OSession Events ]
Error - 12/6/2009 11:48:28 PM | Computer Name = HOME2 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.4518.1014, Microsoft Office Version: 12.0.4518.1014. This session lasted 6772
seconds with 5460 seconds of active time. This session ended with a crash.

[ System Events ]
Error - 10/11/2010 8:01:01 AM | Computer Name = HOME2 | Source = Dhcp | ID = 1000
Description = Your computer has lost the lease to its IP address 192.168.1.46 on
the Network Card with network address 0011112D1DBC.

Error - 10/13/2010 12:12:39 AM | Computer Name = HOME2 | Source = Dhcp | ID = 1000
Description = Your computer has lost the lease to its IP address 192.168.1.46 on
the Network Card with network address 0011112D1DBC.

Error - 10/15/2010 8:44:24 AM | Computer Name = HOME2 | Source = Dhcp | ID = 1000
Description = Your computer has lost the lease to its IP address 192.168.1.46 on
the Network Card with network address 0011112D1DBC.

Error - 10/15/2010 11:16:31 PM | Computer Name = HOME2 | Source = Service Control Manager | ID = 7000
Description = The MCSTRM service failed to start due to the following error: %%2

Error - 10/16/2010 2:17:29 AM | Computer Name = HOME2 | Source = Service Control Manager | ID = 7000
Description = The MCSTRM service failed to start due to the following error: %%2

Error - 10/16/2010 2:28:59 AM | Computer Name = HOME2 | Source = Service Control Manager | ID = 7000
Description = The MCSTRM service failed to start due to the following error: %%2


< End of report >
  • 0

#7
patndoris

patndoris

    Trusted Helper

  • Malware Removal
  • 228 posts
Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Posted Image
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now
  • 0

#8
Texx01

Texx01

    Member

  • Topic Starter
  • Member
  • PipPip
  • 28 posts
Looks like this did the trick no more redirects and my sound is back on. I hope the log shows that it is clean.


C:\Documents and Settings\User\Desktop\Tools\Data Sheets
ComboFix 11-06-04.02 - User 06/03/2011 22:27:31.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.495.48 [GMT -5:00]
Running from: c:\documents and settings\User\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\NetworkService\Local Settings\Application Data\mejerux.dll
c:\program files\INSTALL.LOG
c:\windows\system32\BSTIEPrintCtl1.dll
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_ITLPERF
-------\Service_itlperf
.
.
((((((((((((((((((((((((( Files Created from 2011-05-04 to 2011-06-04 )))))))))))))))))))))))))))))))
.
.
2011-06-04 04:06 . 2011-06-04 04:06 28752 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{56140C6B-7B29-432B-AE04-A3B4A909CF30}\MpKsla363df49.sys
2011-06-04 02:48 . 2011-06-04 02:48 28752 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{56140C6B-7B29-432B-AE04-A3B4A909CF30}\MpKsl562b0ae0.sys
2011-06-03 22:42 . 2011-05-09 20:46 6962000 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{56140C6B-7B29-432B-AE04-A3B4A909CF30}\mpengine.dll
2011-06-02 23:14 . 2011-06-02 23:17 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2011-06-01 11:36 . 2011-06-01 11:36 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-05-29 00:18 . 2011-05-29 00:21 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-05-12 05:27 . 2011-05-12 05:27 -------- d-sh--w- c:\windows\ftpcache
2011-05-10 02:59 . 2011-05-10 02:59 781272 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll
2011-05-10 02:59 . 2011-05-10 02:59 1874904 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll
2011-05-10 02:59 . 2011-05-10 02:59 89048 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll
2011-05-10 02:59 . 2011-05-10 02:59 465880 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll
2011-05-10 02:59 . 2011-05-10 02:59 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll
2011-05-10 02:59 . 2011-05-10 02:59 1892184 ----a-w- c:\program files\Mozilla Firefox\d3dx9_42.dll
2011-05-10 02:59 . 2011-05-10 02:59 142296 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
2011-05-10 02:59 . 2011-05-10 02:59 1974616 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_42.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-05-25 00:14 . 2010-10-16 07:16 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-05-09 20:46 . 2010-10-17 16:42 6962000 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-03-07 05:33 . 2008-07-27 21:45 692736 ----a-w- c:\windows\system32\inetcomm.dll
2004-10-01 20:00 . 2008-09-11 02:21 40960 ----a-w- c:\program files\Uninstall_CDS.exe
2011-05-10 02:59 . 2011-05-10 02:59 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2011-05-17 18:29 1490312 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2011-05-17 1490312]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2011-05-17 1490312]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-09-13 39408]
"PowerBar"="c:\program files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe" [2004-04-21 86016]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"InCD"="c:\program files\Ahead\InCD\InCD.exe" [2006-03-16 1397760]
"ApnUpdater"="c:\program files\Ask.com\Updater\Updater.exe" [2011-05-17 395144]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-12 413696]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]
.
c:\documents and settings\User\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Microsoft Office Groove Audit Service"=3 (0x3)
"IDriverT"=3 (0x3)
"FLEXnet Licensing Service"=3 (0x3)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"RemoteControl"="c:\program files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
"igfxtray"=c:\windows\system32\igfxtray.exe
"igfxhkcmd"=c:\windows\system32\hkcmd.exe
"igfxpers"=c:\windows\system32\igfxpers.exe
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
"SoundMAXPnP"=c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe
"Adobe_ID0EYTHM"=c:\progra~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
"NeroFilterCheck"=c:\windows\system32\NeroCheck.exe
"LGODDFU"="c:\program files\lg_fwupdate\fwupdate.exe" blrun
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe"
"HPDJ Taskbar Utility"=c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"c:\\Program Files\\LucasArts\\Star Wars Empire at War\\GameData\\sweaw.exe"=
"c:\\Program Files\\LucasArts\\Star Wars Empire at War\\GameData\\fpupdate.exe"=
"c:\\Program Files\\LucasArts\\Star Wars Empire at War Forces of Corruption\\swfoc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\LeapFrog\\LeapFrog Connect\\LeapFrogConnect.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server
.
R1 MpKsl562b0ae0;MpKsl562b0ae0;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{56140C6B-7B29-432B-AE04-A3B4A909CF30}\MpKsl562b0ae0.sys [6/3/2011 9:48 PM 28752]
R1 MpKsla363df49;MpKsla363df49;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{56140C6B-7B29-432B-AE04-A3B4A909CF30}\MpKsla363df49.sys [6/3/2011 11:06 PM 28752]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [4/8/2009 5:38 AM 92008]
S1 MpKsl01375d09;MpKsl01375d09;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{52CC2763-6795-4F4B-ACA1-91072C608453}\MpKsl01375d09.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{52CC2763-6795-4F4B-ACA1-91072C608453}\MpKsl01375d09.sys [?]
S1 MpKsl22a35883;MpKsl22a35883;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{CC0A26A0-9877-49B5-8F95-7003387B4F45}\MpKsl22a35883.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{CC0A26A0-9877-49B5-8F95-7003387B4F45}\MpKsl22a35883.sys [?]
S1 MpKsl2f59733b;MpKsl2f59733b;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{83B27CD3-1A11-4692-8285-0188132F9DE9}\MpKsl2f59733b.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{83B27CD3-1A11-4692-8285-0188132F9DE9}\MpKsl2f59733b.sys [?]
S1 MpKsl3b450fae;MpKsl3b450fae;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{973261E3-7CC4-493B-82D8-ECD852254FD3}\MpKsl3b450fae.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{973261E3-7CC4-493B-82D8-ECD852254FD3}\MpKsl3b450fae.sys [?]
S1 MpKsl40166da2;MpKsl40166da2;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{270EB84C-17E5-4FF4-845B-A18635983272}\MpKsl40166da2.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{270EB84C-17E5-4FF4-845B-A18635983272}\MpKsl40166da2.sys [?]
S1 MpKsl4f3e2792;MpKsl4f3e2792;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{94F6AAD1-9406-4646-87AE-692777AF0118}\MpKsl4f3e2792.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{94F6AAD1-9406-4646-87AE-692777AF0118}\MpKsl4f3e2792.sys [?]
S1 MpKsl64572d2b;MpKsl64572d2b;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{668F37A9-DA64-4B48-822F-F84FDEE633DD}\MpKsl64572d2b.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{668F37A9-DA64-4B48-822F-F84FDEE633DD}\MpKsl64572d2b.sys [?]
S1 MpKsl99b4965b;MpKsl99b4965b;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{94F6AAD1-9406-4646-87AE-692777AF0118}\MpKsl99b4965b.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{94F6AAD1-9406-4646-87AE-692777AF0118}\MpKsl99b4965b.sys [?]
S1 MpKsl9fb2e619;MpKsl9fb2e619;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{1613B88A-A9AA-4A8D-B56D-DFF7F41BEDC4}\MpKsl9fb2e619.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{1613B88A-A9AA-4A8D-B56D-DFF7F41BEDC4}\MpKsl9fb2e619.sys [?]
S1 MpKslcc76cc7a;MpKslcc76cc7a;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{96B71B2F-7271-431C-961C-3C03AA597726}\MpKslcc76cc7a.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{96B71B2F-7271-431C-961C-3C03AA597726}\MpKslcc76cc7a.sys [?]
S1 MpKsldf6aea94;MpKsldf6aea94;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{0F876F22-6232-433E-84DB-59359B06E3A5}\MpKsldf6aea94.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{0F876F22-6232-433E-84DB-59359B06E3A5}\MpKsldf6aea94.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/9/2010 6:49 PM 135664]
S3 EagleXNt;EagleXNt;\??\c:\windows\system32\drivers\EagleXNt.sys --> c:\windows\system32\drivers\EagleXNt.sys [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2/9/2010 6:49 PM 135664]
S3 krdpdre;krdpdre;\??\c:\docume~1\User\LOCALS~1\Temp\krdpdre.sys --> c:\docume~1\User\LOCALS~1\Temp\krdpdre.sys [?]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MPKSLA363DF49
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
itlsvc REG_MULTI_SZ itlperf
.
Contents of the 'Scheduled Tasks' folder
.
2011-06-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-09 23:49]
.
2011-06-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-09 23:49]
.
2011-06-04 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2011-05-17 18:29]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
TCP: DhcpNameServer = 192.168.1.1
DPF: Web-Based Email Tools - hxxp://email.secureserver.net/Download.CAB
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\la83ce80.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_us&p=
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
Notify-itlntfy - itlnfw32.dll
AddRemove-Adobe Flash Player Plugin - c:\windows\system32\Macromed\Flash\FlashUtil10p_Plugin.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-06-03 23:08
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST3160828AS rev.8.03 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-5
.
device: opened successfully
user: MBR read successfully
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x8636631B
user & kernel MBR OK
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1409082233-492894223-725345543-1003\Software\SecuROM\License information*]
"datasecu"=hex:ff,6b,5b,d9,d3,d5,e1,70,1c,8b,66,e3,7b,72,d6,b0,e1,56,f7,c1,90,
6f,af,d1,cb,d8,06,63,af,2c,e0,1e,77,18,83,92,04,ec,17,f2,00,fd,79,b7,eb,e1,\
"rkeysecu"=hex:cb,bd,f2,61,5a,4e,c6,95,f2,29,8b,82,ba,6b,3d,44
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(544)
c:\windows\system32\WININET.dll
.
- - - - - - - > 'lsass.exe'(604)
c:\windows\system32\WININET.dll
.
- - - - - - - > 'explorer.exe'(3592)
c:\windows\system32\WININET.dll
c:\program files\Microsoft Office\Office12\GrooveShellExtensions.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Client\Antimalware\MsMpEng.exe
c:\program files\Ahead\InCD\InCDsrv.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\LeapFrog\LeapFrog Connect\CommandService.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2011-06-03 23:15:31 - machine was rebooted
ComboFix-quarantined-files.txt 2011-06-04 04:15
.
Pre-Run: 103,383,339,008 bytes free
Post-Run: 104,145,956,864 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
.
- - End Of File - - 2F6961CEDF394A0EB9062E40A95D058A
  • 0

#9
patndoris

patndoris

    Trusted Helper

  • Malware Removal
  • 228 posts
I'm glad things are running better. No one tool looks in all locations for malware, so we like to run a couple of different scans to be as sure as possible a machine is clean. We'll also have a little updating to do once these scans are done.


I see you have Malwarebytes already on your machine. Please run it by double clicking the icon on the desktop.
  • Click on the tab labeled Update and then click on the button Check for updates.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
    Posted Image
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected .
  • When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
  • Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot.




This scan make take awhile depending on how many items are on the computer. You may want to run it at a time you won't be needing the machine. It should be run from IE and I'd recommend not doing anything else while it's running.


http://www.eset.eu/online-scanner
Go here to run an online scannner from ESET.
Click the green ESET Online Scanner button.
Read the End User License Agreement and check the box: YES, I accept the Terms of Use.
Click on the Start button next to it.
You may receive an alert on the address bar that "This site might require the following ActiveX control...Click here to install...". Click on that alert and then click Insall ActiveX component.
A new window will appear asking "Do you want to install this software?"".
Answer Yes to download and install the ActiveX controls that allows the scan to run.
Click Start.
Uncheck Remove found threats.
Click Scan to begin.
If offered the option to get information or buy software. Just close the window.
Wait for the scan to finish
Use notepad to open the logfile located at C:\Program Files\Eset\Eset Online Scanner\log.txt
Copy and paste that log as a reply to this topic.
  • 0

#10
Texx01

Texx01

    Member

  • Topic Starter
  • Member
  • PipPip
  • 28 posts
Here are the logs:

Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6769

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

6/4/2011 10:28:53 AM
mbam-log-2011-06-04 (10-28-53).txt

Scan type: Quick scan
Objects scanned: 157740
Time elapsed: 8 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
  • 0

Advertisements


#11
Texx01

Texx01

    Member

  • Topic Starter
  • Member
  • PipPip
  • 28 posts
[email protected] as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=7.00.6000.17096 (vista_gdr.110211-1830)
# OnlineScanner.ocx=1.0.0.6522
# api_version=3.0.2
# EOSSerial=bfa78044e1a9174bbb62c2a79cca07be
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2011-06-04 05:21:40
# local_time=2011-06-04 12:21:40 (-0500, Eastern Standard Time)
# country="United States"
# lang=9
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=5891 16776869 42 88 0 18307358 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=180242
# found=4
# cleaned=0
# scan_time=5613
C:\Documents and Settings\User\Application Data\Sun\Java\Deployment\cache\6.0\12\21b718cc-32c50431 a variant of Java/TrojanDownloader.OpenStream.NCE trojan (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\User\Application Data\Sun\Java\Deployment\cache\6.0\12\21b718cc-4bb0a233 a variant of Java/TrojanDownloader.OpenStream.NCE trojan (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\User\Application Data\Sun\Java\Deployment\cache\6.0\12\21b718cc-5b93112a a variant of Java/TrojanDownloader.OpenStream.NCE trojan (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\User\Application Data\Sun\Java\Deployment\cache\6.0\12\21b718cc-6dfd35d1 a variant of Java/TrojanDownloader.OpenStream.NCE trojan (unable to clean) 00000000000000000000000000000000 I
  • 0

#12
patndoris

patndoris

    Trusted Helper

  • Malware Removal
  • 228 posts
Great! The items found by ESET are easily removed.


Posted Image
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version Java components and update.
  • Download the latest version of Java Runtime Environment (JRE) 25 and save it to your desktop.
  • Scroll down to where it says JDK 6 Update 25 (JDK or JRE)
  • Click the Download JRE button to the right
  • Select the Windows platform from the dropdown menu.
  • Read the License Agreement and then check the box that says: "I agree to the Java SE Runtime Environment 6u25 with JavaFX 1 License Agreement". Click on Continue.The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add or Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java™ 6) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u25-windows-i586-p.exe to install the newest version.
  • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
      Applications and Applets
      Trace and Log Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.



Download TFC to your desktop
  • Close any open windows.
  • Double click the TFC icon to run the program
  • TFC will close all open programs itself in order to run,
  • Click the Start button to begin the process.
  • Allow TFC to run uninterrupted.
  • The program should not take long to finish it's job
  • Once its finished it should automatically reboot your machine,
  • if it doesn't, manually reboot to ensure a complete clean



The following will implement some cleanup procedures as well as reset System Restore points:
  • Click Start > Run
  • Now type Combofix /uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
  • Posted Image


Now to remove most of the tools that we have used in fixing your machine:
  • Run OTL.exe
  • This time, click on the CleanUp button.

If you notice any remaining tools or files you can delete them by right clicking and choosing delete. I would advise keeping Malwarebytes as it is a program you'll want to run regularly.



There are no logs to post. Just let me know when you are done with these steps and I'll give you some final tips for staying malware free.
  • 0

#13
Texx01

Texx01

    Member

  • Topic Starter
  • Member
  • PipPip
  • 28 posts
OK found time to run though the last steps but after rebooting and jumping on I found that my system slowed right down again. Opening up Task manager and I still have an svchost.exe running at full speed and eating up my cpu.
  • 0

#14
patndoris

patndoris

    Trusted Helper

  • Malware Removal
  • 228 posts
To be on the safe side, let's run a new OTL log and get a different rootkit scan.



OTL Custom Scan

  • Download OTL to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Check the boxes beside LOP Check and Purity Check.
  • Under Custom Scan paste this in

    netsvcs
    drivers32
    %SYSTEMDRIVE%\*.*
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\Fonts\*.ini
    %systemroot%\Fonts\*.ini2
    %systemroot%\Fonts\*.exe
    %systemroot%\system32\spool\prtprocs\w32x86\*.*
    %systemroot%\REPAIR\*.bak1
    %systemroot%\REPAIR\*.ini
    %systemroot%\system32\*.jpg
    %systemroot%\*.jpg
    %systemroot%\*.png
    %systemroot%\*.scr
    %systemroot%\*._sy
    %APPDATA%\Adobe\Update\*.*
    %ALLUSERSPROFILE%\Favorites\*.*
    %APPDATA%\Microsoft\*.*
    %PROGRAMFILES%\*.*
    %APPDATA%\Update\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\System32\config\*.sav
    %PROGRAMFILES%\bak. /s
    %systemroot%\system32\bak. /s
    %ALLUSERSPROFILE%\Start Menu\*.lnk /x
    %systemroot%\system32\config\systemprofile\*.dat /x
    %systemroot%\*.config
    %systemroot%\system32\*.db
    %PROGRAMFILES%\Internet Explorer\*.dat
    %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
    %USERPROFILE%\Desktop\*.exe
    %PROGRAMFILES%\Common Files\*.*
    %systemroot%\*.src
    %systemroot%\install\*.*
    %systemroot%\system32\DLL\*.*
    %systemroot%\system32\HelpFiles\*.*
    %systemroot%\system32\rundll\*.*
    %systemroot%\winn32\*.*
    %systemroot%\Java\*.*
    %systemroot%\system32\test\*.*
    %systemroot%\system32\Rundll32\*.*
    %systemroot%\AppPatch\Custom\*.*
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs

  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply.
  • You may need two posts to fit them both in.




Download and Run GMER

Posted Image
Download GMER Rootkit Scanner from here or here.
  • Extract the contents of the zipped file to desktop.
  • Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent .
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.

    Posted Image
    Click the image to enlarge it
  • In the right panel, you will see several boxes that may have been checked. Uncheck the following ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one - make sure it is UNCHECKED)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and attach it in your reply.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries

  • 0

#15
Texx01

Texx01

    Member

  • Topic Starter
  • Member
  • PipPip
  • 28 posts
Hmm having trouble posting the logs I keep getting a page timed out error
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP